Bugtraq mailing list archives

Windows logoff bug solution possibly.


From: Rage Coder <RageCoder () aim com>
Date: Sun, 11 Feb 2007 13:07:18 -0500

I have posted previously about a bug that seems to cause applications to continue to run when a user logs off and when another user logs on, he/she may be able to access the programs that continued to run after the logoff, for example:

1. Log on as Administrator
2. Do some stuff
3. Log off, but some programs continue to run
4. Log on as a regular user, programs running from 1,2 may appear and user may be able to access stuff with Administrator privileges.

I now think that ZoneAlarm may have some part to play in this. I still think different logons should use different session IDs though.

During logoff today, ZoneAlarm asked me if I wanted to allow Client Server Runtime Process to terminate a process. I clicked yes. This is the first time I have seen this, and so I thought that it might be why the programs are not terminating at logoff. If the OS Firewall level for csrss.exe is set to ask but it cannot ask, it will be denied. I looked through some previous log files from ZoneAlarm and found some entries with csrss.exe. The action was to terminate a process and it was blocked. These are just a few from the list.

OSFW,2007/02/09,06:16:12 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
OSFW,2007/02/09,06:16:12 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
OSFW,2007/02/09,06:16:16 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\EssentialPIM Pro\EssentialPIM.exe
OSFW,2007/02/09,06:16:20 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\GetRight\getright.exe


The list of processes is the same processes that show up as still running from the previous logon when I check task manager. Setting the OS Firewall level to 'Super' for Client Server Runtime Process may fix the logoff problem that I have been discussing. I also think ZoneLabs should make it a 'System,Custom' item instead of 'Auto,Custom', so the user will be warned of any changes.

RC
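
The log check described in the post, as an added example that is not part of the original message: it scans OSFW entries for blocked TERMINATEPROCESS actions by csrss.exe and lists the processes that would have survived logoff. The field names, the helper names and the "ALLOWED" action value are assumptions inferred from the four entries quoted above, not a documented ZoneAlarm schema.

```python
import ntpath
from collections import defaultdict

# Field order inferred from the entries quoted in the post (an assumption,
# not a documented ZoneAlarm log schema).
FIELDS = ("type", "date", "time", "action", "program", "program_path",
          "category", "operation", "direction", "target")

# The first four lines are the entries from the post; the last two are
# constructed to show what the filter must ignore.
SAMPLE_LOG = r"""OSFW,2007/02/09,06:16:12 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
OSFW,2007/02/09,06:16:12 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
OSFW,2007/02/09,06:16:16 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\EssentialPIM Pro\EssentialPIM.exe
OSFW,2007/02/09,06:16:20 -5:00 GMT,BLOCKED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\GetRight\getright.exe
OSFW,2007/02/09,06:20:01 -5:00 GMT,ALLOWED,Client Server Runtime Process,C:\WINDOWS\system32\csrss.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\Example\allowed.exe
OSFW,2007/02/09,06:21:30 -5:00 GMT,BLOCKED,Example App,C:\Program Files\Example\app.exe,PROCESS,TERMINATEPROCESS,DST,C:\Program Files\Example\other.exe
"""

def parse_entry(line):
    """Split one log line into named fields; return None if it does not fit."""
    # maxsplit keeps any commas in the final (target path) field intact.
    parts = line.strip().split(",", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def blocked_logoff_kills(log_text, killer="csrss.exe"):
    """Map each process the killer was blocked from terminating to its timestamps."""
    survivors = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None or entry["type"] != "OSFW":
            continue
        if (entry["action"] == "BLOCKED"
                and entry["operation"] == "TERMINATEPROCESS"
                and ntpath.basename(entry["program_path"]).lower() == killer):
            survivors[entry["target"]].append(f'{entry["date"]} {entry["time"]}')
    return dict(survivors)

if __name__ == "__main__":
    for target, times in blocked_logoff_kills(SAMPLE_LOG).items():
        print(f"{target}: blocked {len(times)}x, first at {times[0]}")
```

Comparing the reported targets with the processes still listed in Task Manager after the next logon confirms whether the blocked terminations account for them.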

